SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015

31 Oct 2017

Malicious Chrome extension steals data posted to any website

Malicious browser extensions continue to bear fruit for hackers who have been using them to spread banking malware and adware, and hijacking popular add-ons to spread other nasty code.

The latest abuse involves a Google Chrome extension being spread in phishing emails that steals any data posted online by victims. This is a departure from previous attacks that monitor browser activity for specific URLs and extract credentials.

This campaign may be limited to Brazil and other Portuguese-speaking nations, according to Renato Marinho, chief research officer at Morphus Labs and a SANS Internet Storm Center (ISC) handler. Marinho told Threatpost that the phishing message is written in Portuguese and that some characteristics of the compromised computers, including directory names, lead him to believe the malware used in these attacks originated in Brazil.

“Based on the messages I received on my spam trap, the campaign is ongoing and possibly making many victims,” Marinho said.

The emails, Marinho said, include a lure hinting at photos from a weekend event sent over WhatsApp (“Segue as (Fotos Final de Semana ) Enviadas via WhatsApp (30244)”). Should the victim click on the link, a malware dropper called whatsapp.exe is executed and presents a phony Adobe Reader installer, which downloads and installs a .cab file on the victim’s computer. The .cab file is a 9.5MB compressed file that spews a pair of 200MB-plus files once decompressed, Marinho wrote in a report to the SANS ISC site. Most of the code, he said, is bloat in an attempt to bypass anti-malware scanners that avoid large files.

One of the files attempts to disable the Windows Firewall and kill all Chrome processes before installing the malicious browser extension, written in JavaScript. The extension captures all data posted by the victim on any website, Marinho said, before it’s sent to a command and control server using jQuery and Ajax connections.

Marinho added that existing browser security measures such as SSL or TLS won’t protect the victims, because the stolen data is captured in clear text inside the browser, before it is sent over the HTTPS connection. “That’s another reason this approach is attractive to cybercriminals,” Marinho said. He added that he expects cybercriminals to continue to make use of malicious extensions to access a victim’s personal or sensitive data.

“It wasn’t necessary for the attacker to attract the victim to a fake website with doubtful SSL certificates or deploying local proxies to intercept web connections. Quite the opposite, the user is accessing original and legitimate websites and all the interactions are working properly while data is captured and leaked,” he said. “In my opinion, internet browsers should better control extensions and plugins’ installation processes as the Android and iOS mobile ecosystems do. By default, only the extensions available on the official store should be accepted for installation.”
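The capability Marinho describes, a content script injected into every site that can read form data before TLS encrypts it and then hand it to an outside host, has to be declared in the extension's manifest.json. A defender can therefore audit the extension directories of a Chrome profile (on Chrome the layout is `<profile>/Extensions/<id>/<version>/manifest.json`) for exactly that combination of grants. The script below is an added example for this post, not code from Threatpost, SANS ISC or Morphus Labs; the two manifests it ships with are constructed, and the risk thresholds are the author's assumption rather than any published rule.

```python
"""Audit Chrome extension manifests for the grants a form-stealing extension needs.

Flags (assumed thresholds, not a published standard):
  - content scripts whose "matches" cover every site
  - host permissions covering every origin (MV3 host_permissions or MV2 permissions)
  - a few broad API permissions (tabs, webRequest, cookies, ...)
The manifest keys used here are Chrome's real keys; everything else is illustrative.
"""
import json
import sys
import tempfile
from pathlib import Path

# Match patterns that cover every page the user visits.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions worth reporting when combined with page-wide injection.
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "cookies", "tabs", "clipboardRead"}

# Constructed manifest resembling the capability described in the article (not the real sample).
SUSPECT = {
    "manifest_version": 2,
    "name": "Photo Viewer Helper",
    "version": "1.0",
    "permissions": ["<all_urls>", "tabs", "webRequest"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["jquery.js", "inject.js"], "run_at": "document_end"}
    ],
}

# Constructed manifest of a narrowly scoped, benign-looking extension.
BENIGN = {
    "manifest_version": 3,
    "name": "Example Site Tweaks",
    "version": "2.1",
    "host_permissions": ["https://docs.example.com/*"],
    "content_scripts": [{"matches": ["https://docs.example.com/*"], "js": ["tweaks.js"]}],
}


def assess_manifest(manifest: dict) -> dict:
    """Return the findings and an assumed risk rating for one parsed manifest."""
    findings = []

    # A content script injected into every page can read forms before submission.
    for cs in manifest.get("content_scripts", []):
        if BROAD_MATCHES & set(cs.get("matches", [])):
            findings.append("content_script_on_all_urls")
            break

    # MV3 keeps host grants in host_permissions; MV2 mixes match patterns into permissions.
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if BROAD_MATCHES & hosts:
        findings.append("broad_host_permission")

    for p in sorted(SENSITIVE_PERMS & perms):
        findings.append(f"permission:{p}")

    # Assumed rating: page-wide injection plus any further grant is the worst case.
    if "content_script_on_all_urls" in findings and len(findings) > 1:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "findings": findings, "risk": risk}


def scan_extension_dir(root) -> list:
    """Walk an Extensions directory and assess every manifest.json found."""
    results = []
    for manifest_path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError) as exc:
            results.append({"path": str(manifest_path), "error": str(exc)})
            continue
        report = assess_manifest(manifest)
        report["path"] = str(manifest_path)
        results.append(report)
    return results


def demo() -> list:
    """Write the two constructed manifests into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for sub, manifest in (("aaaa/1.0_0", SUSPECT), ("bbbb/2.1_0", BENIGN)):
            d = Path(tmp, sub)
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return scan_extension_dir(tmp)


if __name__ == "__main__":
    reports = scan_extension_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for r in reports:
        print(json.dumps(r))
```

Run it with the path to a profile's Extensions directory to audit real installs, or with no argument to see the constructed cases. A "high" rating is a triage signal, not proof of malice: legitimate password managers and ad blockers also inject into every page, so the result should be compared against the extensions your organisation has approved, which is the allowlist model Marinho argues browsers should enforce by default.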


Tags:
Chrome fraud information leaks
Source:
Threatpost